<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="../../../unit.xsl"?>
<KIVSPEC name="Mondex-ASM-refine"><SPECBODY>enrich <a href="../../../specs/simple-AASM/export/unit.xml">simple-AASM</a> , 
       <a href="../../../specs/BINV/export/unit.xml">BINV</a> with
   
   functions 
      Σ . : PayDetailsSet → nat;
      filter : (PayDetails → bool) × PayDetailsSet → PayDetailsSet;
   predicates 
      ABINV : (name → nat) × (name → nat) × (name → nat) × (name → PayDetailsSet) × (name → status) × (name → nat) × (name → PayDetails) × messageset × 
              message;
      definitelyLost : (name → PayDetailsSet) × (name → PayDetails) × (name → status) × PayDetailsSet;
      maybeLost : (name → PayDetailsSet) × (name → PayDetails) × (name → status) × PayDetailsSet;
      balandlostok : (name → nat) × (name → nat) × (name → nat) × PayDetailsSet × PayDetailsSet × PayDetailsSet;
   variables 
      Ppd : PayDetails → bool; 
      maybelost, chosenlost, definitelylost : PayDetailsSet; 
      balance0 : name → nat; 
   
   axioms 
      maybeLost-def
      : ⊦ 
          maybeLost(exLog, pdAuth, state, maybelost)
        ↔ (∀ pd. pd ∈ maybelost ↔ toInEpv(pd, pdAuth, state) ∧ (fromLogged(pd, exLog) ∨ fromInEpa(pd, pdAuth, state)))
      ;
      definitelyLost-def
      : ⊦ 
          definitelyLost(exLog, pdAuth, state, definitelylost)
        ↔ (∀ pd. pd ∈ definitelylost ↔ toLogged(pd, exLog) ∧ (fromLogged(pd, exLog) ∨ fromInEpa(pd, pdAuth, state)))
      ;
      balandlostok-def
      : ⊦ 
          balandlostok(balance, lost, balance0, chosenlost, definitelylost, maybelost)
        ↔ (∀ na. 
              authentic(na)
            →   lost(na) = Σ filter(λ pd. pd .from = na, definitelylost ∪ chosenlost)
              ∧ balance(na) = balance0(na) + Σ filter(λ pd. pd .to = na, maybelost \ chosenlost))
      ;
      ABINV-def
      : ⊦ 
          ABINV(balance, lost, balance0, exLog, state, nextSeqNo, pdAuth, ether, outmsg)
        ↔ (∃ maybelost, chosenlost, definitelylost. 
              maybeLost(exLog, pdAuth, state, maybelost) ∧ definitelyLost(exLog, pdAuth, state, definitelylost) ∧ chosenlost ⊆ maybelost
            ∧ balandlostok(balance, lost, balance0, chosenlost, definitelylost, maybelost))
      ;
      sum-empty :  ⊦ Σ ∅ = 0; used for : s, ls;
      sum-insert :  ⊦ Σ (pds ++ pd) = ((pd ∈ pds ⊃ Σ pds; Σ pds + pd .value)); used for : s, ls;
      filter-empty :  ⊦ filter(Ppd, ∅) = ∅; used for : s, ls;
      filter-insert :  ⊦ filter(Ppd, pds ++ pd) = ((Ppd(pd) ⊃ filter(Ppd, pds) ++ pd; filter(Ppd, pds))); used for : s, ls; comment: This specification proves the backward simulation condition
(theorem 'correctness') for the refinement from simple-AASM to simple-BASM
(this is of course not yet the full verification of ASM refinement).
While the ASMs are approximations of the full Mondex data types,
the proof uses the same invariants as the full proof 
and has exactly the same cases as the full proof
(so the full proof of backward simulation was essentially
carried out using copy and paste). There is no need to split the
proof into lemmas for the individual operations here,
since we have avoided grouping operations (ABORT
must be verified only once) as well as using IGNORE
(the proof obligation states that there is a 1:1 or 0:1 diagram).
;
   
end enrich</SPECBODY></KIVSPEC>
